Has YOUR ebaY Account Been Exposed to the Public Eye?
 

29 Sep 2007
Originally posted 26 Sep 2007. Updated 28 Sep 2007. Updated 29 Sep 2007 to add Fact 5.


On Tuesday 25 Sep 2007 at 5:42 AM ebaY time, a hacker posted 29 to 50 pages of ebaY user information on the ebaY Trust and Safety discussion board (at approximately 40 threads per page, that is between 1,100 and 2,000 user IDs). Each thread was posted using the user ID and account of the very user whose information it contained, and included the ebaY user ID, email address, phone, name, street, city, state, zip, country, feedback info, the site they registered on, user status, PowerSeller status, the payment method they used to pay ebaY, credit card number (with expiration date), credit card CVV2 code (the three digit security code on the back of the card), whether they are ID verified, whether they have an ebaY store and which site it is registered on, and whether they are PayPal verified or not. The threads that contained the info also carried a signature at the bottom of the post - SGI Inc. - emocnI gnitareneG rof snoituloS ("Solutions for Generating Income" spelled backwards). SGI Inc. is the company name used by Vladuz, a hacker who has demonstrated that he has the ability to access ebaY databases.

This first image shows the ebaY Trust and Safety discussion board thread list, with a detail of the thread listings.

The next image is the actual thread page you saw when clicking on the thread link from the previous image. We have masked parts of the info to protect the innocent.

Note the Vladuz signature on the bottom line. For more screen shots of the pages, please go to TAG CHAT.

After around 90 minutes of exposure, at around 7:15 AM, ebaY shut down the Trust and Safety board entirely, having first tried to remove the thread posts one at a time (the hacker was posting faster than ebaY was removing). One poster on the board discussing this incident, who saw the information, ran one of the credit card numbers posted through his merchant account verification, and it came back valid. Other posters said the CC info was not correct. Board posters took screenshots and compiled a list of user IDs so folks could check whether their user ID had been posted. When one board poster put the list on her ebaY About Me page, ebaY removed the page and gave her a pink slap (an official violation notice with the threat of suspension).

We have compiled a list of several hundred of the IDs from the screen shots we had access to and from the lists posted by other folks on various boards (including ebaY's) around the net. You can view the list we compiled at the link below. This list is NOT complete, as it is believed there were over 1,500 user IDs posted.
Compromised User ID List

The first ebaY responses were posted on their discussion boards, and then removed, and were an obvious effort to cover themselves. Xavier's posts were removed soon after they were posted.
--------------
xman@ebay.com   26-09-07 00:31 EST   58 of 61
Hi all, we're looking into why this happened, however I've confirmed with the US teams that the credit card information was indeed false for all the accounts.

Looks like it only affected that 1 US Board but the engineers are diligently working to ensure this won't ever happen again.
Xavier
The eBay Team
-------------------
xman@ebay.com   26-09-07 00:47 EST   82 of 88
The site wasn't actually hacked... it was a server issue where the system displayed the poster's information rather than the post itself. Being that the credit card information was on a different server, that info came up incorrect. It was not some hacker sitting there entering in someone's information and using a card generator.
Xavier
The eBay Team

---------------

Trust & Safety forums issue this morning

Posted by eBay Chatter on September 25, 2007 at 02:15 PM in General | Permalink

Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.

Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account takeover.

The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.

eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.

I'll update this story later as we have more to share.
----------------

Various ebaY spokespersons also made statements, to press inquiries and to calls from PowerSellers and others, that this was a hoax; that the information had been posted by a disgruntled user with access to the API; that the information was not valid; that the credit card numbers were not real and, if they were real, did not come from ebaY's database and were unrelated to info on ebaY. ebaY also said the information was real but had been phished from users off ebaY (this is ebaY's favorite excuse for security breaches, even though it has been proven false on many occasions). What ebaY did not do (and still has not done as of this posting) was post anything on the announcement board informing users of the problem and warning them to watch their accounts and charge cards for possible misuse. Users have reported that ebaY has been making calls to those whose information was posted, to inform them of the breach. This is required by California law whenever a breach of user information occurs.

With all the rumor, hearsay and damage control going on, there are still some hard facts that need to be looked at:

Fact 1 - Someone had the ability to post on ebaY's boards using the user ID and account of another person. That requires either the ebaY password for each account, or the ability to access and use accounts without passwords. This person was able to post threads faster than ebaY could remove them, forcing ebaY to shut down the Trust and Safety board completely.

Fact 2 - TAG had access to a small arbitrary sampling of the user account pages posted and checked what information we could against what is available to ebaY and PayPal users and to anyone using the internet. Here is what we found:

* The user ID, email address, date registered, whether they had a store or not, and the feedback numbers registered/shown on ebaY matched 100% of the time
* The PayPal information as to whether the user had a verified account was correct for 83% of the users
* The ebaY ID verified information was correct for 83% of the users
* When an online reverse lookup was run on the phone numbers to check the names/addresses listed, 33% did not match the name or address, 50% were unlisted so could not be checked, and 17% matched the info shown
* When an address check was run using the online white pages with the name given, 66% of the information did not match, 17% was correct and 17% was listed as unavailable

We could not check the credit card numbers, and decided these people had probably been harassed enough about this, so we would not call them directly to ask them to verify. But, if you are one of the people whose accounts were posted and your credit card info does match that shown on the ebaY T&S board, and particularly if that information is the information used on ebaY's site, please feel free to contact us and let us know and we will update this information here.

Fact 3 - ebaY always chooses to lie, cover its back and waffle rather than come out and tell the truth, whether that truth is that they just don't know what happened or how, or that their system had been compromised in some way (which it evidently had been, in at least some manner - see Fact 1). They lie so readily and frequently that it is impossible to believe anything they say.

Fact 4 - Evidence of problems with ebaY's system can be seen in the hundreds, even thousands, of scam listings posted on ebaY every day. Though the furor of reporting about this has fizzled out since the mass of Vladuz reporting earlier this year, such listings are an everyday occurrence on ebaY.

Fact 5 - When you viewed the pages of threads the hacker was posting, each thread title was an alphanumeric code, followed by the user ID of the person whose account was being used to post the thread and who was also the account holder of the information exposed in the thread (see first image above). This alphanumeric code DOES appear to come directly from ebaY, and is the code ebaY assigns to each account that registers on any ebaY site. To see similar codes, go to your own feedback profile on an account you have had for a while (or, if all your accounts are new, go to the feedback profile of a seller who has been on ebaY for several years, or view our samples below) and look at some of the oldest feedback left. You are sure to see some feedback postings where the account is no longer registered and, instead of a user ID, there is an alphanumeric code much like those posted by the hacker. This is factual evidence that ebaY uses such coded user identification.

Here is a screenshot example of such an account, with the ID history inserted -

It is impossible to determine, from what we can observe, what criteria ebaY uses to decide when to show the account code rather than the user ID on NARU accounts. Possibly it is done for a person who insists ebaY delete all their user info from the site? ebaY, as always, remains the Hotel California: you can check out but you can never leave. We also theorize that the account ID number shown on your My ebaY account information page is the last 10 or so digits of this alphanumeric code ebaY assigned to your account when you registered. We will continue to pursue this to see if we can confirm absolutely that these codes were correct for the accounts posted by the hacker. If they are correct, then it is more concrete evidence that the hacker DID access ebaY's back end, and that the information did come from ebaY's site (which would mean ebaY is storing your credit card numbers and the 3 digit security codes on the back of your card). It would also add further proof that ebaY is publicly lying about where the hacker got the information.

Since ebaY obviously does not know how deep this problem goes, it is possible that ALL user information on the ebaY site has been breached. So if you have ever used ebaY, and have any sensitive information recorded on the site - such as credit card or bank account information - you need to monitor your accounts for possible problems. Unfortunately, ebaY is not the only vulnerable site, online or off, so regular checks of your credit card bills and bank accounts should now be a way of life; individuals MUST make this part of their usual routine. The other thing that is abundantly clear in all this is that ebaY is NOT secure, even if we consider only the user ID / email address linkage that ebaY is so adamant about hiding from users, but evidently not from scammers. Then again, ebaY's lack of secure systems has been obvious since we first reported on the activities of Vladuz and the Chinese hackers, 11 months ago.

In an interesting addendum to the above information exposure, and as further evidence both of ebaY's faulty security and that phishing had nothing to do with the information exposure, Vladuz posted on the ebaY DE board showing that he had taken over the account of ebaY lawyer Scott Noyce. He posted the following information on the About Me page of snoyce@ebay.com:

For those of you who have followed the Vladuz/ebaY adventures, you will know that it was Scott Noyce who sent the threatening letter to Falle Internet DE, on ebaY's behalf, trying to intimidate them into removing information about Vladuz's ability to access ebaY's back end at will. See ebaY Tries Intimidation

We received invaluable assistance with this article, and credit goes to: Doc at EBAY MOTORS SUCKS - this is a good board to check for the day to day hacker listings on ebaY, and especially for anything going on at ebaY Motors
Thanks to Jessica Anderson for the information on ebaY user account numbers. View Jessica's items for sale at -
mysteriouscutie
The posters on the ebaY Seller Central Discussion Board
The posters on the ebaY AU Discussion Boards
And several ebaY users with the guts to post user ID lists on and off ebaY, so they were available to all ebaY users despite ebaY's efforts to hide as much information as possible.
